Posted to users@spamassassin.apache.org by "Phil (Sphinx)" <sp...@mezimail.com> on 2006/05/28 20:20:05 UTC

Black Copy filtering problem

Hi there,

Our SpamA version is 3.0.3, running on Perl 5.8.4.
Our servers only run Debian stable, and are up to date.
We have exim, clamscan, and SpamA, but we do not use Procmail.


Since our mail server (www.mezimail.com) is supposed to be open (free
service to promote OpenSource solutions), some spammers tried to create
accounts and sent spam from there.

So I searched (a lot) for solutions. I only found this one in the SA rules :
SARE_TOCC_BCC_MANY
in the 70_SARE_header0.cf file.
By default, the score is set to 0...

but I really have problems with false positives!
(for example, mails sent from my server, with no address specified in
the Bcc field, are tagged with that rule!)


Then I looked at the SARE file.
There is no real rule to explain what happens :
meta      SARE_TOCC_BCC_MANY       __SARE_HEAD_FALSE
and that's all ! Where is the real rule ?

We also found references to the BCC in the SA Perl source code... but we
did not understand.

I looked on the internet...
Recently, I found that link :
http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200501.mbox/%3C20050116093705.4850.qmail@minotaur.apache.org%3E
Is it a reliable solution or just a test ?

I also tried to set up my own rule :
header NETW_BCC_MANY ^Bcc =~ /,.*,.*,/
describe NETW_BCC_MANY Bcc with multiple addresses
score NETW_BCC_MANY 5

but it does not work...

Thanks in advance for any help!

Cheers,

--
Philippe
www.mezimail.com admin

Re: Black Copy filtering problem

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Phil,

Sunday, May 28, 2006, 11:20:05 AM, you wrote:

PS> Hi there,

PS> So I searched (a lot) for solutions. I only found this one in the SA rules :
PS> SARE_TOCC_BCC_MANY
PS> in the 70_SARE_header0.cf file.
PS> By default, the score is set to 0...

PS> Then I looked at the SARE file.
PS> There is no real rule to explain what happens :
PS> meta      SARE_TOCC_BCC_MANY       __SARE_HEAD_FALSE
PS> and that's all ! Where is the real rule ?

That rule was moved from file 0 to file 3 with version 01.03.09, and
then archived with version 01.03.16 last October.

The rule is/was:
header    SARE_TOCC_BCC_MANY       Bcc =~ /,.*,.*,/
It was archived because it was hitting almost as much ham as spam.

Bob Menschel




Re: Black Copy filtering problem

Posted by Kai Schaetzl <ma...@conactive.com>.
Phil (Sphinx) wrote on Sun, 28 May 2006 20:49:41 +0200:

> I don't think they do not appear... because when I test it myself, with 
> the SARE Bcc rule, it seems to work :

The bcc is either stripped out or ignored by an MTA if it is in the header 
of a mail because it is useless there and can compromise privacy. The MTA 
doesn't use it for delivery. From the MTA side it gets only one RCPT TO 
after another, headers don't matter. If there are rules that check for the 
bcc they cater for those spammers/spam software who mistakenly add this 
header (and it doesn't get stripped before it reaches SA).

You will have to manage your restrictions mostly on the MTA side I guess 
and it very much depends on which way those spammers send the mail. And as 
a first I'd add some barrier in your "open source forge" management 
software so that getting an account isn't *that* easy. After that think 
about how they send mail, then you can determine which might be the best 
way to stop them. You will most likely need to rely on what your MTA 
offers you in terms of throttling connections, recipients and such. 
Another measure which can help in detecting abuse is monitoring the number 
of processes and the mail queue (outgoing spam typically increases the 
queue quite a bit because there are always addresses that don't exist and 
get resent over and over). Also, if you scan outgoing messages for spam 
this should take care of most of the outgoing spam. What you need is a 
strategy against spammer accounts, not an SA rule.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Black Copy filtering problem

Posted by Bart Schaefer <ba...@gmail.com>.
On 5/28/06, Phil (Sphinx) <sp...@mezimail.com> wrote:
>
> I really don't understand.

I haven't attempted to figure out what the SARE rule is doing, I'm afraid.

> Do you think I should ask the exim-users list ?

If the goal is to limit the volume of mail that any particular user
can cause to be delivered, and exim is your MTA, then yes, the exim
list would be the place to ask.

Re: Black Copy filtering problem

Posted by "Phil (Sphinx)" <sp...@mezimail.com>.
Hi,

Thanks for the quick answer.

Bart Schaefer wrote:
> On 5/28/06, Phil (Sphinx) <sp...@mezimail.com> wrote:
>> 
>> I also tried to set up my own rule : header NETW_BCC_MANY ^Bcc =~
>> /,.*,.*,/
> 
> The Bcc header is stripped out by the transport system, so you can't 
> compare on it directly.

Yes, I've learnt that later.

> What you have to discover is whether there are a lot of recipients in
> the SMTP envelope who do not appear in the To/Cc headers.

I don't think they do not appear... because when I test it myself, with
the SARE Bcc rule, it seems to work :
- I write a mail and send it using my own SMTP server
- I look at the SA analysis log file : I can see the rule matched...

I really don't understand.

> 
> Generally this has to be done by the MTA (e.g. sendmail, exim, 
> postfix, whatever) because the envelope is not available by the time 
> SpamAssassin gets involved.

Yes I agree, I think it should be more reliable (as we can put anything
in the Data field of the mail, but not in the SMTP envelope).
But I did not find any real interesting thing on the internet...

Do you think I should ask the exim-users list ?

Cheers,

--
Philippe
www.mezimail.com

Re: Black Copy filtering problem

Posted by Bart Schaefer <ba...@gmail.com>.
On 5/28/06, Phil (Sphinx) <sp...@mezimail.com> wrote:
>
> I also tried to set up my own rule :
> header NETW_BCC_MANY ^Bcc =~ /,.*,.*,/

The Bcc header is stripped out by the transport system, so you can't
compare on it directly.  What you have to discover is whether there
are a lot of recipients in the SMTP envelope who do not appear in the
To/Cc headers.

Generally this has to be done by the MTA (e.g. sendmail, exim,
postfix, whatever) because the envelope is not available by the time
SpamAssassin gets involved.
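The point made in this reply (and in Kai's) is that the Bcc header is gone by the time SpamAssassin sees the message, so the only reliable signal is the gap between the SMTP envelope recipients and the addresses visible in To/Cc. The following Python script is an added illustration, not code from the thread or from SpamAssassin: it applies the archived SARE pattern Bob quoted (`/,.*,.*,/`, i.e. at least three commas in the Bcc header) to a constructed message as the sender's MUA submitted it, strips the Bcc header the way an MTA would, and then shows that the envelope-versus-header comparison still exposes the hidden recipients. The sample message, the envelope recipient list and the threshold of three hidden recipients are all constructed assumptions.

```python
"""Compare SMTP envelope recipients against the To/Cc headers (added example).

The message text and envelope list below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# The archived SARE rule Bob quoted: fires when the Bcc header contains
# at least three commas, i.e. four or more addresses.
SARE_TOCC_BCC_MANY = re.compile(r",.*,.*,")

# Constructed sample: what the sender's MUA hands to the submission MTA.
SUBMITTED = """\
From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Bcc: d1@example.net, d2@example.net, d3@example.net, d4@example.net
Subject: constructed sample

hello
"""

# Constructed sample: the RCPT TO list the MTA actually received.
ENVELOPE = [
    "bob@example.org", "carol@example.org",
    "d1@example.net", "d2@example.net", "d3@example.net", "d4@example.net",
]


def bcc_many(raw_message: str) -> bool:
    """Return True if the SARE_TOCC_BCC_MANY pattern matches any Bcc header."""
    msg = message_from_string(raw_message)
    return any(SARE_TOCC_BCC_MANY.search(value) for value in msg.get_all("Bcc", []))


def strip_bcc(raw_message: str) -> str:
    """Simulate the MTA removing the Bcc header before onward delivery."""
    msg = message_from_string(raw_message)
    del msg["Bcc"]
    return msg.as_string()


def hidden_recipients(raw_message: str, envelope_rcpts) -> list:
    """Envelope recipients that do not appear in the To or Cc headers."""
    msg = message_from_string(raw_message)
    visible = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    return sorted(r.lower() for r in envelope_rcpts if r.lower() not in visible)


def looks_like_hidden_bulk(raw_message: str, envelope_rcpts, threshold: int = 3) -> bool:
    """Flag a message whose envelope carries `threshold` or more hidden recipients.

    The threshold is an assumed value; a real deployment would tune it against
    its own ham (mailing-list expanders and legitimate Bcc use both trip it).
    """
    return len(hidden_recipients(raw_message, envelope_rcpts)) >= threshold


if __name__ == "__main__":
    delivered = strip_bcc(SUBMITTED)
    print("SARE rule on submitted copy :", bcc_many(SUBMITTED))      # True
    print("SARE rule after MTA strip   :", bcc_many(delivered))      # False
    print("hidden envelope recipients  :", hidden_recipients(delivered, ENVELOPE))
    print("hidden-bulk flag            :", looks_like_hidden_bulk(delivered, ENVELOPE))
```

Run as a script it prints the two outcomes side by side: the SARE regex matches the copy that still carries the Bcc header, which is what Phil observed when testing against his own submission, and fails on the delivered copy, while the envelope comparison still lists the four hidden addresses. That comparison needs the RCPT TO list, which is why it belongs in the MTA (an exim ACL, for example) rather than in a SpamAssassin header rule.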